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ATTACHMENT TO PRE-APPEAL BRIEF REQUEST FOR REVIEW 

The Office Action contains clear error, and the claims should be allowed, for the 
following reasons. Fundamentally, the Office Action does not apply the references to the 
claims — the Office Action applies the references to a reformulation of the claims created solely 
by the Examiner. A rejection that ignores specific claimed features is clearly erroneous. 

Claims 1-20 and 23-24 stand rejected under 35 U.S.C. § 103(a) as allegedly unpatentable 
over Reid et al, U.S. Pat. No. 6,182,226 (hereinafter "Reid") in view of Ray et al, U.S. Pat. No. 
6,587,455 (hereinafter "Ray"\ and further in view of Cheng, U.S. Pat. No. 6,823,462. For 
brevity, this attachment addresses only the independent claims. 
1. The Office Action Ignores Specific Features of the Independent Claims. 

Claim 1 recites: receiving, from an external binding process separate from the address 
server, a binding of a network address to an authenticated user of one of the clients for 
which the policy enforcement point controls access to the network. In applying Reid and 
Ray, the Office Action completely ignores the bold portion. The Office Action states that "the 
address server disclosed by Ray sends the network device an assigned network address, assigned 
by the address server and therefore assigned from an external binding process." But this is not 
what is claimed. The claim refers to receiving a binding of both an address and an 
authenticated user of a client. Ray does not provide both, in a binding. The Office Action 
simply glosses over the distinction. 

The same error occurs with respect to all independent claims addressed in the Office 

Action. 
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2. The Office Action Adopts a Legally Erroneous Definition of "Binding." 

The Office Action recognizes (p. 3) that Reid fails to teach receiving a binding of a 
network address to an authenticated user from an external binding process. To make up for this 
deficiency, the Office Action proposes a broad definition of "binding" and then contends that 
Ray's address allocation is the same as the claimed binding. 

This is incorrect. The Office Action states that applicant does not define binding a 
network address to an authenticated user, and then defines binding as "imposing an obligation." 
While the Office Action fails to provide any source of the suggested definition, "imposing an 
obligation" is a legal definition, not a technical definition, and is not relevant to the subject 
matter of the invention. "A technical term used in a patent document is interpreted as having the 
meaning that it would be given by persons experienced in the field of the invention . . ." Hoechst 
Celanese Corp. v. BP Chems. Ltd., 78 F.3d 1575, 1578, 38 USPQ 1126, 1129 (Fed. Cir. 1996). 
The Office Action errs in adopting a legal definition wholly irrelevant to the technical context of 
binding a network address to an authenticated user. 

An appropriate technical definition given Applicant's art for binding is "to make an 
association between two or more programming objects or value items for some scope of time and 
place." See WhatIS.com, http://whatis.techtarget.com/defmition/0„sid9_gci211662,00.html. See 
also J. Saltzer, "On the Naming and Binding of Network Destinations," IETF Network Working 
Group, Request for Comments: 1498, August 1993; J. Saltzer, "Naming and Binding of 
Objects," 60 Lecture Notes in Computer Science at 99 (Springer- Verlag, 1978) (copies submitted 
concurrently herewith). Computer scientists use "binding" as a noun, analogous to the binding 
of boots or books — something that ties together. The Office Action errs in selecting a verb 
definition of "binding" rather than a noun definition. 

When a correct technical definition is adopted, the address server disclosed by Ray 
cannot correspond to the claimed external binding service. Ray teaches a DHCP server as an 
address server. Applicants teach both a DHCP server for address allocation (FIG. 1 A, DHCP 
server 134) and a separate NABR server for providing user-address bindings (FIG. 1 A, NABR 
server 130). Applicant's specification also highlights the differences in function of these 
elements. Specification, Page 11 lines 20-26 states, "Edge device 122 is communicatively 
coupled to a Network Address Binding Resolution (NABR) server 130, User Registration Tool 
(URT) server 132, and Dynamic Host Configuration Protocol (DHCP) server 134. NABR server 
130 is responsible for carrying out network address binding resolution to bind an authenticated 
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user of a workstation, e.g., workstation 1 18, to a particular static network address such as an IP 
address. . . . DHCP server 134 is responsible for dynamically assigning network addresses to 
devices associated with authenticated end users, e.g., for workstation 118." Therefore, 
contending that Ray's DHCP server correlates to the claimed external binding service is not 
logically consistent with Applicant's disclosure. 

The DHCP server of Ray is not an external binding service. The external binding service 
persistently associates or maps an authenticated user to a particular static network address. In 
Contrast, DHCP merely assigns IP addresses, but does not perform any binding or mapping. As a 
result, one of ordinary skill in the art would not correlate the DHCP server recited in Reid or Ray 
to an external binding service as claimed, or to an NABR server that performs the external 
binding process in applicant's embodiment. 

3. The Office Action Errs In Asserting That The References Contain Technical 
Information That Is Completely Absent 

The reliance of the Office Action on particular parts of Ray is misplaced. The Office 
Action asserts that the steps of "receiving, from an external binding process, a binding of a 
network address to an authenticated user of one of the clients for which the policy enforcement 
point controls access to the network; updating the named group to include the bound network 
address of the authenticated user at the policy enforcement point;" is expressly described in Ray 
(Col. 4, line 65 to col. 5, line 31). This is incorrect. The text cited in Ray for "receiving. . .a 
binding of a network address to an authenticated user" simply describes a method for a device to 
receive a network address from a network server when the device is added to a network (Col. 4, 
line 65 to col. 5, line 31). Ray makes no mention of "an authenticated user," or anything relating 
to authentication, as featured in Claim 1. Further, receiving a binding of an authenticated user to 
a network address is not the same as a network address alone. Ray has no teaching of 
associating, mapping or binding an authenticated user to a network address, or communicating 
such a binding from one place to another. 

This is not a question of interpreting the reference; the fact is that the subject matter 
asserted in the Office Action is simply absent completely from the reference. Stating that a 
reference contains a particular technical teaching, when it has nothing of the kind, is clearly 
erroneous. 

For the claimed feature of "updating the named group to include the bound network 
address of the authenticated user at the policy enforcement point," the Office Action states that 
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"the firewall saves the network address and therefore updates the group to include the new IP 
address." However, updating of a group is significantly different than saving a network address. 
The portion of Ray on which the Office Action relies merely teaches saving a network address 
received from a network device. There is no teaching or suggestion to add the network address 
to a named group. There is no suggestion to combine the address save operation of Ray with any 
other feature or function at all. 

One point of the independent claims is to update a group definition only after receiving a 
binding that associates a network address with an authenticated user. Ray has no such 
suggestion. Ray in combination with Reid would merely provide for saving a network address as 
part of a region definition. But such a combination of references fails to provide the complete 
claimed combination, which performs the update only after receiving a binding of an address to 
an authenticated user. A combination of the cited references fails to provide the security offered 
by the claimed approach. 

Cheng, newly asserted in the Office Action, is alleged to teach the feature of "receiving 
information defining one or more group lists, resource definitions, and definitions of users as 
members of one or more groups in the group lists, wherein the definitions include network 
addresses for the users, wherein the network addresses have been assigned by an address server," 
at col. 7, lines 5-19. But group lists are completely absent from the cited passage, which instead 
describes three ways to create a security policy, and using Internet Key Exchange — which, while 
interesting, having nothing to do with the quoted feature of the claim. 

"To establish prima facie obviousness of a claimed invention, all the claim limitations 
must be taught or suggested by the prior art." In Re Royka, 180 USPQ 580; MPEP § 2143.03. 
The cited prior art does not teach or suggest the foregoing features of each of the independent 
claims. Therefore, the Office Action has failed to present a prima facie case under 35 U.S.C. 
103, and the rejection of independent Claims 1, 13, 19, 20, 23, and 24 is unsupported. 
/// 
/// 
/// 
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Reconsideration is respectfully requested. 

Respectfully submitted, 



Dated: October 12, 2005 



HICKMAN PALERMO TRUONG & BECKER LLP 



Christopher J. Palermo 
Reg. No. 42,056 



2055 Gateway Place Suite 550 
San Jose, California 95110-1089 
Telephone No.: (408) 414-1080x202 
Facsimile No. : (408) 414-1 076 
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